Virtualhost Conf - Disable CGI?

I'm working my way through making my server more secure - I've created custom httpd.conf files for each of my virtual domains (because my httpd.conf told me to - I followed a guide, and I'm sure this was done right).

My question is --

If my httpd.conf file has this line:

AddHandler cgi-script .cgi .pl

If I put this in my custom conf file:

# AddHandler cgi-script .cgi .pl

Will CGI be disabled - or does it take the uncommented AddHandler from the actual conf file?

I think other things should work, for example, in my custom file, I've put:

ServerSignature Off
TraceEnable Off

Which I think will override the "On" in the generated httpd.conf file -- what made me wonder is if a commented-out command would override the original file.

Staff Member

Could you clarify the exact method you are using to modify the Apache configuration file? Also, are you attempting to disable Perl for security purposes? If so, I would like to paste to you the response from another analyst regarding a similar request:

What needs to be understood is the distinction between a script that provides an entry point for an attacker, and a script that is executed by an attacker. Let me give you an example. Old versions of Joomla, a popular PHP-based application, are known for allowing an attacker to execute code remotely. What happens is this:

The attacker finds a Joomla-based site running an old, insecure version of Joomla.
The attacker sends a call to the Joomla site to trigger the vulnerability that allows remote code execution.
The attacker uploads his desired script through the vulnerable Joomla application and executes it on your server.

It is important to understand that it does not matter what language the attacker's script is written in. Once the attacker finds a vulnerable script on one of your sites, a script that will allow remote code execution, the attacker will upload and execute code. If you disable Perl, the attacker will upload and execute a PHP script. If you disable PHP, the attacker may upload and execute a Python script. If you disable Python, the attacker may upload and execute a script for the C shell or Korn shell, or any other shell that may be available on Unix or Linux.

This is why trying to disable a language interpreter, such as Perl, from being used by your users is a futile effort. No matter what you do, the issue that would lead to Perl being used by an attacker's script is that a script on your server is vulnerable to being used to execute code remotely. By the time the attacker invokes the Perl interpreter to run his/her script, it is already too late, because he/she has already exploited the vulnerable script on your site.

The only way to prevent this type of behavior is to audit the scripts on your sites and identify those that may allow remote code execution. This is not easy or fast, and it requires the assistance of a security expert who can identify this type of issue for you. It is, however, the only way to truly secure your server against abuse caused by remote code execution. Trying to prevent this abuse by disabling the Perl interpreter, or the PHP interpreter, or the Python interpreter, or any other interpreter is not a good approach.

I'm using PuTTY to SSH in and then using the following command to edit the file...

pico /var/cpanel/templates/apache2/main.local

The changes I made stick in the "main.local" file -- but then I try to make the changes go over to the httpd.conf file with the following:

# Checks changes are ok:
/scripts/verify_vhost_includes

# Rebuild apache:
/scripts/rebuildhttpdconf

# Restart Apache:
/etc/init.d/httpd restart

I'm hoping that by disabling CGI -- even if a hacker is able to upload a script (however they do it - I don't know!) -- they won't be able to run the script once they get it on there.

I've blocked all "bad" functions in PHP (eval, system, exec, etc.) -- so if a hacker uploads a hacking shell in PHP, hopefully they won't be able to do anything. But I don't use Perl or CGI - so I'd just like to turn that off completely to stop hacking risks.
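The question of whether a commented-out AddHandler in a vhost include overrides the server-level one can be answered mechanically: Apache discards comment lines before they are ever interpreted, so "# AddHandler ..." changes nothing, whereas mod_mime's RemoveHandler directive (a real Apache directive, not mentioned in the thread) drops an inherited extension-to-handler mapping for the scope it appears in. The following script is an added illustration, not code from this thread or from cPanel; it is a deliberately simplified model that only understands comments, AddHandler and RemoveHandler, processes the main file and the include as one ordered stream, and uses constructed sample configurations. It does not model ScriptAlias'd cgi-bin directories or the ExecCGI option, both of which also affect whether CGI actually runs.

```python
"""Simplified model of how AddHandler / RemoveHandler combine when a
vhost include is processed after the server-level httpd.conf.
Added example (not from the forum thread); it is NOT Apache's parser."""

# Constructed sample configurations (not the poster's real files).
MAIN_CONF = """
ServerSignature On
AddHandler cgi-script .cgi .pl
"""

# What the question proposes: the directive merely commented out.
INCLUDE_COMMENTED = """
ServerSignature Off
# AddHandler cgi-script .cgi .pl
"""

# A directive that actually removes the inherited mapping.
INCLUDE_REMOVE = """
ServerSignature Off
RemoveHandler .cgi .pl
"""


def effective_handlers(*conf_texts):
    """Return {extension: handler} after applying the configs in order.

    Each text is a configuration fragment; later fragments (e.g. a vhost
    include) are applied on top of earlier ones (e.g. the main file).
    """
    handlers = {}
    for text in conf_texts:
        for raw in text.splitlines():
            line = raw.strip()
            # Blank lines and comments are discarded before interpretation,
            # so a commented-out directive can never override anything.
            if not line or line.startswith("#"):
                continue
            parts = line.split()
            directive = parts[0].lower()
            if directive == "addhandler" and len(parts) >= 3:
                handler, extensions = parts[1], parts[2:]
                for ext in extensions:
                    handlers[ext.lower()] = handler
            elif directive == "removehandler":
                for ext in parts[1:]:
                    handlers.pop(ext.lower(), None)
            # Other directives (ServerSignature, ...) are irrelevant here.
    return handlers


def cgi_handler_active(*conf_texts):
    """True if any extension still maps to cgi-script after merging."""
    return any(h == "cgi-script" for h in effective_handlers(*conf_texts).values())


if __name__ == "__main__":
    print("commented include keeps CGI handler:",
          cgi_handler_active(MAIN_CONF, INCLUDE_COMMENTED))
    print("RemoveHandler include keeps CGI handler:",
          cgi_handler_active(MAIN_CONF, INCLUDE_REMOVE))
```

Run as-is, the first line reports True (the commented-out line is a no-op and the server-level mapping survives) and the second reports False. The same reasoning applies to the ServerSignature and TraceEnable lines in the question: those work because they are real, uncommented directives evaluated in the vhost scope, not because a later file replaces an earlier one wholesale.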

Staff Member

Feel free to open a support ticket using the link in my signature if the methods provided in our documentation are not working as intended. You can post the ticket number here so we can update this thread with the outcome.